I anticipated that Josh Corman’s talk at this week’s Energy SBOM Proof of Concept meeting would be good, and I certainly wasn’t disappointed – in fact, it was great. I’m going to describe it a little here, but I’m pleased to announce that the video is available – so you don’t have to take my word on any of this. Josh’s talk starts a little after the 12-minute mark and goes on for 22 minutes (his connection went down at one point, but he came back very quickly).
The meeting was devoted to
discussing use cases for SBOMs. It occurred to us in planning the meeting that one
of the best ways to address this topic was to hear from the two people most
responsible for the movement to make software bills of materials more than just
a nice concept, but a regular practice with well-understood (but not mandated) guidelines
for production and use. These two people were Dr. Allan Friedman, leader of the
National Technology and Information Administration’s Software Component
Transparency Initiative, and Josh, who coined the term SBOM, although he always points out that he wasn't the first one who had the idea of inventorying software components. They both
spoke at this week’s meeting on how they came to see SBOMs as an important
need, and why.
Allan spoke first (and led the
meeting, as he usually does). His talk was very good, and you should listen to
it. However, Josh’s was exceptional. He covered two topics: The events that led
him (and others) to believe that SBOMs were needed, and SBOM use cases. The
latter was based on the NTIA document whose development he led in 2019, Roles
and Benefits for SBOMs across the Supply Chain, which is one of the three
or four fundamental documents produced by the Initiative.
Below are some very interesting statements
he made in the “history” part of his talk. They’re certainly nowhere near everything
he said (he managed to get in lots of words in a short amount of time, without rushing
his words. Fortunately, in the video you'll be able to hear everything he says, if you’re not afraid to
back up at a few points during his discussion), nor can I swear that I didn’t
get a few things wrong.
1.
He remembers July 13,
2013 as the day that he woke up to the problem of software component vulnerabilities.
On that day, servers running Apache Struts 2 – an open source component of many
applications – were attacked
through previously-unknown vulnerabilities.
2.
Josh’s reaction then was
“It’s open season on open source. Who’s going to attack just one bank anymore,
when they can attack lots of targets through one component?”
3.
At the time of that
attack, Josh was in a high-level position at Akamai. However, he soon moved to Sonatype, an early leader in open source
dependency (component) management – and now one of the leading software
composition analysis tools.
4.
Probably the event
that woke most of the rest of us out of our blissful ignorance of the problem
of component vulnerabilities was the 2014 disclosure of the Heartbleed vulnerabilities
in the OpenSSL cryptography library in 2014, which was estimated to be found in
about half a million “secure” servers.
5.
Heartbleed – as far as
I know – didn’t lead to any major breaches, but it required a huge effort by a
huge number of organizations, just to find whether they had any vulnerable web
servers - and if so, where. Why was that? OpenSSL is a component of other
software, and often a component of other components, etc. Many organizations never
even found all the instances of OpenSSL that they were running. For example, Josh
says it took DHS six weeks to even answer the question of which federal
agencies were affected by Heartbleed.
6.
Meanwhile, some
financial companies knew in literally minutes or hours both whether and where
they were affected. Why was this the case? Because they had kind of proto-SBOMs.
Josh said the financial sector had woken up to this problem when he did – with the
Apache Struts 2 attacks.
7.
After this, Josh decided
to really dig into the idea of SBOMs and started reading Deming, who had
stressed the importance of bills of materials for manufactured products. Having
BOMs gave manufacturers the following advantages.
a.
They could have fewer,
but better parts.
b.
They could compare
quality of different suppliers and buy more from the high-quality ones.
c.
They could track which
parts went in which products, so that if there were a problem with a part, it
could be tracked down and replaced in any product in which it had been used.
8. All of these benefits have direct analogues in SBOMs.
Another seminal event both for Josh and for awareness of component vulnerabilities, was the 2015 SamSam ransomware attack on Hollywood Presbyterian Hospital. This attack exploited a vulnerability in the JBoss Java development platform (now called WildFly). The hospital had to shut down patient care for about one week (I'm told that isn't a good thing for a hospital to have to do).
9.
The hospital knew
about SamSam, but didn’t have any idea whether it was affected by the JBoss vulnerability and if so, where. Of course, this was because they had no SBOMs to
provide them that information.
10.
It was this and the
Wannacry attacks that caused the Food and Drug Administration, which regulates
medical devices like pacemakers and infusion pumps, to put out a “Pre-market
guidance” for those devices. While it didn’t require SBOMs immediately, it said
they would be required in the future. This galvanized the medical community to
start working on the problem of SBOMs and led to the creation of the NTIA
Initiative.
But there’s a lot more. Watch the
video!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. Nor
are they shared by the National Technology and Information Administration’s
Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you
have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
No comments:
Post a Comment